Patent
Attorney Docket No: 10559-755001/P13653
Abstract of the Disclosure
Intrusion preludes may be detected (including detection using fabricated responses to blocked network requests), and particular sources of network communications may be singled out for greater scrutiny, by performing intrusion analysis on packets blocked by a firewall. An integrated intrusion detection system uses an end-node firewall that is dynamically controlled using invoked-application information and a network policy. The system may use various alert levels to trigger heightened monitoring states, alerts sent to a security operation center, and/or logging of network activity for later forensic analysis. The system may monitor network traffic to block traffic that violates the network policy, monitor blocked traffic to detect an intrusion prelude, and monitor traffic from a potential intruder when an intrusion prelude is detected. The system also may track behavior of applications using the network policy to identify abnormal application behavior, and monitor traffic from an abnormally behaving application to identify an intrusion.
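The core idea above, analysing packets the firewall has already blocked to spot an intrusion prelude and raise a per-source alert level, as an added illustration that is not code from the patent itself; the record layout, thresholds, window size and level names are all assumptions of this example.

```python
"""Intrusion-prelude detection over packets a policy firewall already blocked.

Hypothetical design: keep a sliding window of blocked packets per source;
many distinct destination ports hit from one source inside the window is
treated as a scan-like prelude and raises that source's alert level, which
is what would trigger heightened monitoring or an alert to a SOC.
"""
from collections import defaultdict

# Constructed sample of firewall block records: (seconds, src_ip, dst_port).
BLOCKED = [
    (0, "10.0.0.5", 22), (1, "10.0.0.5", 23), (2, "10.0.0.5", 25),
    (3, "10.0.0.5", 80), (4, "10.0.0.5", 443), (5, "10.0.0.5", 3389),
    (7, "10.0.0.9", 445), (90, "10.0.0.9", 445),   # slow, repeated single port
    (200, "10.0.0.5", 8080),                        # outside the first window
]

LEVELS = ("normal", "heightened", "soc_alert")  # assumed alert-level names


def alert_level(distinct_ports, prelude_threshold=5, alert_threshold=10):
    """Map the number of distinct blocked ports in a window to an alert level."""
    if distinct_ports >= alert_threshold:
        return LEVELS[2]
    if distinct_ports >= prelude_threshold:
        return LEVELS[1]
    return LEVELS[0]


def analyze_blocked(records, window=60, prelude_threshold=5, alert_threshold=10):
    """Return {src: (level, peak distinct ports seen in any `window` seconds)}.

    Records are processed in time order; for each source only blocks from the
    last `window` seconds are kept, so a slow sender never accumulates enough
    distinct ports to change its level.
    """
    recent = defaultdict(list)   # src -> [(ts, port), ...] within the window
    peak = defaultdict(int)      # src -> highest distinct-port count observed
    for ts, src, port in sorted(records):
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.pop(0)
        peak[src] = max(peak[src], len({p for _, p in q}))
    return {src: (alert_level(n, prelude_threshold, alert_threshold), n)
            for src, n in peak.items()}


def watchlist(records, **kw):
    """Sources above 'normal': candidates for full logging and closer monitoring."""
    return sorted(s for s, (lvl, _) in analyze_blocked(records, **kw).items()
                  if lvl != "normal")
```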